II. BACKGROUND
-------------------------
The Reports Web CGI or Web Cartridge is required for the Reports
Server when using the Oracle Application Server (OAS) to process
report requests from Web clients.

III. DESCRIPTION
-------------------------
Improper validation of the "genuser" parameter allows arbitrary
script/HTML code to be injected and executed in the client browser.

This is especially serious in authentication forms, where a malicious
user can obtain the authentication credentials of other users.
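
The flaw class described above, as an added example (not Oracle's code and
not part of the original advisory): a "genuser" value reflected verbatim into
a form attribute versus encoded for that context, with a regression check on
the rendered tag structure. The form template, the allow-list pattern and the
sample value are constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Assumed form template; the advisory does not show the real Reports CGI markup.
FORM = ('<form method="post"><input type="text" name="genuser" value="{user}">'
        '<input type="password" name="pw"></form>')
# Assumed allow-list for account names; adapt to the local naming policy.
USER_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# Constructed sample: harmless markup that closes the attribute if reflected raw.
SAMPLE = '"><b>injected</b>'


def render_vulnerable(genuser):
    """Reflect the parameter verbatim: the behaviour the advisory describes."""
    return FORM.format(user=genuser)


def render_hardened(genuser):
    """Encode for the HTML attribute context before reflecting the value."""
    return FORM.format(user=html.escape(genuser, quote=True))


def valid_user(genuser):
    """Server-side allow-list check, applied in addition to output encoding."""
    return USER_RE.fullmatch(genuser) is not None


class TagCollector(HTMLParser):
    """Records every start tag the parser sees in a rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def reflects_markup(render, value):
    """True if the value changes the tag structure of the rendered form."""
    return tags_in(render(value)) != tags_in(render(""))
```

Output encoding is what stops the injected markup from being parsed; the
allow-list only rejects malformed names early.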